Bountytalk - Forums Advertising & Bounty Hub
Other Bounties => Bug bounty programs => Topic started by: Angelina on April 18, 2023, 06:15:59 pm
Submit bug report: http://www.appdirect.com
AppDirect's Private Bug Bounty Program
AppDirect maintains a private bug bounty program since 2018. The program is invitation-only based on factors like the researcher’s reputation and previous work.
How does a researcher qualify to enter this program?
Our team individually invites researchers to enter the program. Typically, these are individuals who have established reputations, non-negative signals, and clear records with zero code of conduct violations. At times, we may also reach out to additional reputable individuals we believe would benefit the program.
Can I still submit a bug to AppDirect even though I am not part of the program?
Yes. If you have found an issue with one of our products, i.e. https://marketplace.appsmart.com/ or www.appdirect.com, please send an email notification to bugbounty@appdirect.com. We encourage anyone to report vulnerabilities that could impact AppDirect and our customers.
All valid reports will be reviewed and assessed by AppDirect's security team to determine whether they are eligible. AppDirect shall respond to eligible submissions with a proposed timeline for remediation and steps to handle any other issues.
What is out of scope for vulnerability disclosure?
Social engineering of AppDirect employees, contractors, vendors, or service providers.
Physical attacks against AppDirect employees, offices, and data centres.
Any vulnerability obtained through the compromise of AppDirect customer or employee accounts.
Being an individual on, or residing in any country on, any U.S. sanctions lists.
Subdomain takeover.
Issues with the SPF, DKIM, or DMARC records on appdirect.com or other AppDirect domains.
Clickjacking and tabnabbing vulnerabilities.
Denial of service attacks at the network layer.
Software version disclosure.
CSV and hyperlink injections.
Missing best practices in SSL/TLS configuration.
CSRF with minimal security implications.
Self-XSS without a reasonable attack scenario.
Vulnerability guidelines
Critical
This severity level includes, but is not limited to:
Vulnerabilities that can compromise the confidentiality, integrity, or availability of production and corporate resources and/or data with limited exploitation difficulty and/or attacker skill.
Vulnerabilities that could be easily exploited by a remote or unauthenticated attacker and lead to system compromise and/or exposure of highly sensitive or customer data of any kind without requiring user interaction.
High
This severity level includes, but is not limited to:
Vulnerabilities that can compromise the confidentiality, integrity, or availability of production and corporate resources and data.
Vulnerabilities that could be easily exploited by an internal and/or external, authenticated/unauthenticated attacker and lead to system compromise and/or exposure of highly sensitive or customer data without requiring user interaction.
Vulnerabilities that allow local users to gain increased privileges.
Vulnerabilities that allow unauthenticated remote users to view sensitive information.
Medium
This severity level includes, but is not limited to:
Vulnerabilities that may be more difficult to exploit but could still lead to some compromise of the confidentiality, integrity, or availability of resources, under certain circumstances.
Vulnerabilities that could have had a critical or high impact but are less easily exploited based on a technical evaluation of the flaw, or affect unlikely configurations.
Low
This severity level includes, but is not limited to:
Vulnerabilities that may be more difficult to exploit but could lead to minimal compromise of the confidentiality, integrity, or availability of resources under unlikely circumstances.
These vulnerabilities either require unlikely circumstances to be exploitable, or a successful exploit would have minimal consequences.
Vulnerability Severity Range
1. Remote Code Execution: Critical
2. SQL Injection: Medium - High
3. XXE: Medium - High
4. XSS: Low - High
5. Server-Side Request Forgery: High - Critical
6. Authentication/Authorization Bypass (Broken Access Control): Low - Critical
7. Privilege Escalation: Low - High
8. Security Misconfiguration: Low - Medium
Vulnerabilities not in the above list will be evaluated case by case.
Domains
https://marketplace.appsmart.com
https://appdirect.com